Total downloads: 139
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install zimage
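Description
Generates images using the Z-Image lightweight text-to-image API. Applies when the user asks to "generate an image", "poster image", "cover image", "image with Chinese text", or directly states an aspect ratio such as 1:1, 16:9 or 9:16. Converts the user's ratio requirement into the size parameter, executes exactly the number of generations the user requested, and must not execute repeatedly. Calls the zImage interface with the parameters prompt (required) and size (optional...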
Security usage recommendations
Before installing or using this skill:
1) Verify and trust the external endpoint (https://agent.mathmind.cn) — confirm that this is the intended API host for the key obtained from kexiangai.com; the mismatch between the key-provider domain and API endpoint is unusual and worth confirming with the skill author or provider.
2) Expect the skill to require an API key (X_API_KEY) despite the registry metadata saying none — do not provide highly privileged or long-lived credentials unless you trust the service.
3) The skill will persist the key in ~/.config/z-image/.env (permission 600) — if you prefer not to store keys on disk, provide the key per-session or use a limited-scope key.
4) Prompts and images are sent to the external API; avoid sending sensitive PII or confidential prompts.
5) If you need higher assurance, ask the author to: (a) correct the registry metadata to declare X_API_KEY as a required credential, (b) explain why the key issuer domain differs from the API host, and (c) optionally support in-memory/session-only keys instead of writing to disk.
If you cannot validate those points, proceed cautiously (e.g., test with an expendable key).
Functional analysis
Type: OpenClaw Skill
Name: zimage
Version: 1.0.0
The skill contains shell injection vulnerabilities due to improper input sanitization in `scripts/set_key.sh` and `scripts/generate.sh`. Specifically, `set_key.sh` writes the user-provided API key directly into a configuration file (`~/.config/z-image/.env`) which is later sourced as a shell script by `generate.sh`, allowing for arbitrary command execution if a malicious key is provided. Additionally, `generate.sh` manually constructs JSON payloads using shell variables with inadequate escaping, creating a risk of JSON injection.
Capability assessment
Purpose & Capability
The skill's name/description (image generation) matches the behavior in SKILL.md and scripts (calls an image-generation HTTP API). However the registry metadata claims no required environment variables or primary credential, while SKILL.md and the scripts clearly require an X_API_KEY and an on-disk config path (~/.config/z-image/.env). That mismatch between claimed requirements and actual instructions is an incoherence.
Instruction Scope
Runtime instructions are narrowly focused on collecting prompt/size/count, validating them, and calling a fixed external endpoint. They also direct the agent to read an environment variable (X_API_KEY) and a local config file for the key, and to persist a provided key to ~/.config/z-image/.env. Reading/writing the skill's own config file is within scope for persistent credentials, but the instructions also tell the agent to obtain the key from 'kexiangai.com' while the actual API endpoint is 'agent.mathmind.cn' — an endpoint/provider mismatch that should be verified.
Install Mechanism
There is no install specification (instruction-only), and the included scripts are plain shell files. No external downloads, package installs, or archive extraction are present. This is low-risk from an installation-execution perspective.
Credentials
The SKILL.md and scripts require an X_API_KEY and optionally persist it in ~/.config/z-image/.env, but the skill registry metadata declares no required env vars or primary credential. The skill will read environment variables and a user-owned config file — reasonable for an API key but the undeclared credential is a mismatch and the script stores the key in plaintext in the user's home directory (file permissions set to 600, which is better than world-readable but still local plaintext). The skill transmits prompts (potentially sensitive) and the API key to an external endpoint.
Persistence & Privilege
The skill requests to store its own credential under ~/.config/z-image/.env and to read it on subsequent runs. It does not request system-wide config changes, set always:true, or modify other skills. Persisting its own key and creating a dot-dir is normal for this use-case.
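How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install zimage
- After installation, call the Skill directly by name or use /zimage to trigger it
- Provide the required inputs according to the Skill's parameter description to get structured output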
Version history
v1.0.0
z-image Skill 1.0.0
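- Initial release, implementing API image generation based on prompt and size parameters.
- Supports generating images from a description, a ratio (such as 1:1, 16:9) or an explicit size, and automatically converts the ratio to the best size.
- Precisely controls the number of images generated, eliminating duplicate or superfluous requests.
- Improved parameter validation, input completion, key masking and error messages.
- Built-in recommended resolution mapping and detailed input correction and exception handling flows.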
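Metadata
FAQ
What is zimage?
Generates images using the Z-Image lightweight text-to-image API. Applies when the user asks to "generate an image", "poster image", "cover image", "image with Chinese text", or directly states an aspect ratio such as 1:1, 16:9 or 9:16. Converts the user's ratio requirement into the size parameter, executes exactly the number of generations the user requested, and must not execute repeatedly. Calls the zImage interface with the parameters prompt (required) and size (optional... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 139 total downloads to date.
How do I install zimage?
Run the command "/install zimage" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.
Is zimage free?
Yes, zimage is completely free, released under the MIT-0 license, and can be freely downloaded, installed and used.
Which platforms does zimage support?
zimage runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).
Who developed zimage?
Developed and maintained by cmhan (@runninghcm); the current version is v1.0.0.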